Voting System Examination 
Dominion Voting Systems 
Democracy Suite 5.5 

Prepared for the 
Secretary of State of Texas 


James Sneeringer, Ph.D. 
Designee of the Attorney General 


This report conveys the findings of the Attorney General's designee from an examination 
of the equipment listed below. 


Examination Date 
Report Date 


January 16-17, 2019 
February 7, 2019 


Components Examined 


EAC/NASED Qualification 


Component 

Version 

Date 

Number 

EMS-Election Management 
System 

5.5.12.1 

9/14/2018 

DVS-DemSuite5.5 

ADJ-Adjudication 

5.5.8.1 

9/14/2018 

DVS-DemSuite5.5 

ICC-ImageCast Central 

5.5.3.0002 

9/14/2018 

DVS-DemSuite5.5 

ICP-ImageCast Precinct 

5.5.3.0002 

9/14/2018 

DVS-DemSuite5.5 

ImageCast X BMD 

5.5.10.25 

9/14/2018 

DVS-DemSuite5.5 

ImageCast X DRE w/VVPAT 

5.5.10.25 

9/14/2018 

DVS-DemSuite5.5 

ImageCast X BMD Classic 15" 

5.5.10.25 

9/14/2018 

DVS-DemSuite5.5 

ImageCast X BMD Classic 21" 

5.5.10.25 

9/14/2018 

DVS-DemSuite5.5 

The Democracy Suite 5.5 (or D- 

■Suite 5.5) is a 

modern voting system that is new to 


Texas, although D-Suite is in use in other states. A distinguishing feature is the 
pervasive use of commercial of-the-shelf components, or COTS components in the 
industry parlance. COTS components are standard hardware or software products, as 
opposed to custom-made components. 


For example, the D-Suite voting terminals are commercially available Android tablets 
that include the stand and the smart card reader that is used for voter authentication. 
Similarly, the PCs, networking gear, hard drives, printers, and some scanners are COTS. 
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D-Suite Components 


ImageCast X (or ICX) is the name of the line of voting stations, which all share identical 
software (version 5.5.10.25). The X in the name highlights the interchangeability of the 
software and in one case even the tablet hardware. 

The ImageCast X BMD Classic 15" and 21" can only serve as ballot-marking devices (hence the 
BMD in the names). These devices do not tabulate at all, and therefore do not need zero-tapes, 
precinct tallies, or the like. When a voter submits a ballot, the BMD simply prints the ballot on 
the attached printer, but does not save anything on the device. The printed ballot must still be 
scanned before it can be counted. It contains the cast-vote record in two formats: a barcode 
(for use by the scanner) and a printed, human-readable list (which can be visually verified by 
the voter). If there should be a question about whether the two match, it can be easily verified 
by scanning the barcode and visually checking that it corresponds to the printed votes. 

The ImageCast X (without the word classic ) can be used either as a BMD or as a direct-recording 
electronic (DRE) voting station. As a BMD, it performs as described above. As a DRE, it records 
the voter's choices in redundant internal memory. It also provides a voter-verifiable paper audit 
trail (or VVPAT). The ImageCast X 
voting stations are more expensive than 
the ImageCast X Classic stations. 

The VVPAT (on the right in the photo) 
shows the voter a printed record of how 
they voted, which they can verify before 
finally casting their ballot. These paper 
cast-vote records can later be used to 
audit the election results, providing 
voters with the confidence that comes 
from a paper record. This record is 
printed on a continuous roll of thermal 
paper, which the voter can view through 
a window in the VVPAT printer but 
cannot remove, ensuring that the voter 
does not leave with the paper record. 

Each voting station is an independent 
stand-alone system, which cannot 
communicate with other stations or 
election central except by physically 
carrying a flash drive or compact flash 
card, and then only when the polls are 
closed. The Android tablets must be in 
kiosk mode, which prevents access to 
the Android features during voting. 

Finally, election setup, tabulation, and other related tasks are done with mostly COTS 
components and the proprietary EMS software. Most of the components are on a LAN (local 
area network), and no other devices are to be connected to that LAN. All election data and 
results are stored on self-encrypting hard drives and are also encrypted by the database system. 
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Microsoft SQL Server. The hard drives are redundant (RAID 1), meaning that each piece of data 
is stored on two separate hard drives, so nothing is lost even if one hard drive fails. There are 
two configurations, one that allows multiple client computers connected to a single computer, 
and one where everything is on the same computer. The computers run a hardened Windows 
operating system. 


Voting 

Election Setup. Election setup (such as entering races and assigning candidates to them) is 
done using a GUI (graphical user-interface) that is part of the Election Management System. 

Authentication for setup and central count administration. D-Suite uses two-factor 
authentication for administration. Access is granted only by both entering 
the correct PIN and the presenting a token, which will be either an iButton 
(see photos) or a smart card, depending on the device. According to the 
vendor, an iButton is more durable then a smart card, but they serve the 
same purpose. In either case, the token is created and placed on the 
iButton or smart card using the Election Management System. 

Zero-total report. Zero totals are automatically written on the VVPAT printer. Note that no 
zero report is needed for the ballot-marking devices (BMDs). 

Ballot selection. Authorization to vote and ballot selection are done using smart cards 
generated by Dominion software. A poll worker enters the ballot style and the software writes it 
on a smart card in a secure way. The voter then takes the smart card to any voting station to 
vote. The voter cards are automatically cleared after voting, so they cannot be reused. Also, as 
a backup, a poll-worker card can be inserted into the voting station to allow manual selection of 
the ballot style. This would be used when, for some reason, no smart cards are available. 

Voting. Voting is done on a touch screen, or ballots can be marked manually. 

Vote Storage. DRE votes are recorded on redundant internal memory and on a smart card. 

Transfer Results. Results are transferred from the DREs and voting stations to central count 
using compact flash cards or USB flash drives, depending on the device. 

Print precinct results. Precinct results are printed at the voting station using the VVPAT 
printer. 

Straight party / crossover. Straight-parting voting works and crossover voting does too. 
However, see Clearing Straight-Party Votes, below 

Accessibility. Verification of accessibility is performed independently by the office of the 
Secretary of State, but the examiners had the opportunity to observe and try the accessibility 
components. 
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Comments 


The use of many COTS components presumably reduces the cost of D-Suite significantly. 
If this savings is passed on to the jurisdictions, then that's a very significant advantage. 

The optical scanner has a clever feature that appends to each ballot image an "audit 
mark" that records how the ballot was interpreted by the scanner. 

Concerns 

1. Adjudication results can be lost. During adjudication of the ballots in the test 
election one of the Dominion representatives made a series of mistakes that caused the 
entire batch of adjudication results to be lost. One can argue that the exact situation is 
unlikely to recur, but it happened with one of the most qualified people who will ever use 
the system. It's disappointing is that the software would be designed in such a way that 
this could happen. Each adjudicated ballot should be written into the database 
immediately in such a way that it cannot be lost. It's hard to argue that such a system 
is suitable for its intended purpose. 

Recommendation: Certification should be denied. 

2. DRE station failure. Examiner Brian Mechler discovered that simply unplugging 
and reconnecting the cord that supplies power to the VVPAT from the Android tablet will 
usually cause the tablet to fail. After the first time that this happened, the Dominion 
team tried several things to get the tablet to function again. Even rebooting the tablet 
did not work. It took a long time (perhaps 10-20 minutes) for the Dominion people to 
discover that after powering the tablet down and removing the battery, the tablet would 
work again when power was restored. This is not very likely to happen, but if it did 
happen in a real polling place, it would be extremely difficult to get the machine working 
again. 

Recommendation: Certification should be denied. 

3. Clearing Straight-Party Votes. If a voter who has voted straight party decides to 
override their straight-party vote by clearing the vote in one contest, the D-Suite will 
give a message and refuse to clear the vote. If the voter ignores the message, the 
straight-party vote will be silently reinstated when they leave the page. 

In the photo below you see what happens after a Republican straight-party vote when 
the voter decides not to vote for Republican John Doe and wants to leave the contest 
unvoted. If the voter ignores the message and continues, they will still have voted for 
John Doe, even though the box remains unchecked. 

Since straight-party voting will soon be discontinued in Texas, this is not a major issue, 
but it would be if straight-party voting were ever allowed again. Certification should 
carry the condition that D-Suite cannot be used in elections with straight-party voting. 
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4. Quality of Scans. When we were adjudicating ballots, some of the scans were so 
poor that the write-in votes were very difficult to read; reading even the preprinted text 
was sometimes difficult. The reason for this is unclear, because it's hard to image any 
modern scanner producing such poor results. 

Recommendation: Certification should be denied. 

5. VVPAT preserves the order the ballots were cast. The VVPAT uses a roll of 
thermal paper, and therefore necessarily preserves the ballots in the order they were 
cast. This introduces a privacy concern. If there is only one voting station, comparing 
the voter signin records with the VVPAT would reveal how people voted. However, since 
the VVPAT records are not timestamped, the efficacy of this procedure drops off sharply 
after the first few voters. 

Recommendation: Certification should be conditioned by the requirement that there 
be at least two functioning D-Suite voting stations in each polling location. 

6 . Election definitions were created on a different version of the software. 

To facilitate testing, Dominion created in advance the election definition we used during 
the exam, as requested by the Secretary of State. However, they did so using an older, 
uncertified version of D-Suite. In my opinion, this does not introduce a significant risk, 
but it shows a disturbing lack of care by Dominion. 

7. Emergency Ballot Slot Cannot be Resealed. In the event of a prolonged 
power failure, there must be a way to cast a paper ballot when the scanner is not 
working. On the collapsible ballot box there is a flap on the corrugated side that can be 
punched out to give access to a compartment that stores such ballots. This flap must be 
sealed when not in use. Since there is no provision for placing a seal on the flap after it 
has been punched out, the law prohibits that ballot box from being reused in that case. 
This is a minor problem, but a possible expense. 
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8. Voter May have to Start Over. Because Dominion forgot to bring a minor 
component that is required by law, the formal accessibility testing was performed the 
next morning by the Secretary of State's office. Although I was not present, I 
understand that another problem was identified, and it appears that this problem could 
affect any voter - not just disabled voters. Somehow the printer tray became ajar 
during voting, and the system did not notice until the voter attempted to cast their 
ballot. The system would not accept the ballot and all the voter's choices were lost. A 
poll worker card was required to clear the problem. Apparently, this is only a problem if 
the printer tray becomes ajar during voting; if it's ajar before the voter starts the ballot, 
the problem can be solved by simply pushing the tray in. 

This problem is worst for disabled voters, since it may take them a long time to vote, so 
more is lost by starting over. However, it would be frustrating for any voter. 

Recommendation: One could make a case that this is tolerable, since nothing is lost 
except the voter's time and it should not happen very often, but it should be fixed, and 
future versions should not be certified without this fix. 


Conclusion 

I like the idea of using COTS components to save taxpayer money, and Dominion has 
done a good job of finding COTS components and minimizing the number of custom 
components. 

Nevertheless, I cannot recommend certification. Computer systems should be designed 
to prevent or detect human error whenever possible and minimize the consequences of 
both human mistakes and equipment failure, and I do not believe Dominion has done an 
acceptable job. 
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